[Snort-devel] Performance increase while duplicating processes

Jonathan Saint-Léger tan.saintleger at ...2499...
Thu Jul 1 12:15:35 EDT 2010


Hi all,

I'm (still) working on getting the best out of Snort, and I found out that
Sourcefire's rules got a great speed increase while using host attribute
tables (smaller drop rate), but Emerging Threats rules were not as faster as
Sourcefire's (even after adding the metadata:service to every possible ET
rule, based on the port field of the headers).

So my idea was to use two Snort processes, one loaded with ET rules and the
other one with VRT rules, so that the VRT rules don't suffer from  ET rules
"latency".

I was surprised by the very nice figures measured (with the pfring
information data placed in /proc/net/pf_ring/<pid>.<nic> ) so I decided to
do a trivial test: use one single snort configuration, measure the drop rate
when launching 1 snort process, and measure the drop rate of this snort
config when launching several identical snort processes. Since I'm working
on a dual quad-core, I launched 9 processes for the second test, expecting
to see a substantial increase in drops for this second test.

For the first result, I measured around 30% of drops (Tot pkt Lost / Tot
Packets of the pf_ring data), and for the second test, each snort process
had around 20% of drops.
(The machine I am working on is a dual Xeon E5345 with 8gig Ram, on a
gigabit network.)


Is there any explanation about these strange results? Did anybody already
faced the same situtation?

thx in advance,

--
Jonathan Saint-Léger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20100701/5f596c2c/attachment.html>


More information about the Snort-devel mailing list